Guide to the Secure Configuration of Red Hat OpenShift Container Platform 4
Rules, Groups, and Values defined within the XCCDF Benchmark
-
OpenShift Controller Settings
This section contains recommendations for the kube-controller-manager configurationGroup -
Kube controller manager config data name
Kube controller manager config data nameValue -
Kube controller manager config filepath
Kube controller manager config filepathValue -
Kube controller manager config check - port should not be zero
Kube controller manager config check - port should not be zeroValue -
Kube controller manager config check - rotate kubelet server certs
Kube controller manager config check - rotate kubelet server certsValue -
OpenShift - Logging Settings
Contains evaluations for the cluster's logging configuration settings.Group -
Ensure Controller insecure port argument is unset
To ensure the Controller Manager service is bound to secure loopback address and a secure port, set the <code>RotateKubeletServerCertificate</code>...Rule Low Severity -
Ensure that the RotateKubeletServerCertificate argument is set
To enforce kubelet server certificate rotation on the Controller Manager, set the <code>RotateKubeletServerCertificate</code> option to <code>true<...Rule Medium Severity -
Ensure Controller secure-port argument is set
To ensure the Controller Manager service is bound to secure loopback address using a secure port, set the <code>RotateKubeletServerCertificate</cod...Rule Low Severity -
Configure the Service Account Certificate Authority Key for the Controller Manager
To ensure the API Server utilizes its own key pair, set the <code>masterCA</code> parameter to the public key file for service accounts in the <cod...Rule Medium Severity -
Configure the Service Account Private Key for the Controller Manager
To ensure the API Server utilizes its own key pair, set the <code>privateKeyFile</code> parameter to the public key file for service accounts in th...Rule Medium Severity -
Ensure that use-service-account-credentials is enabled
To ensure individual service account credentials are used, set the <code>use-service-account-credentials</code> option to <code>true</code> in the ...Rule Medium Severity -
OpenShift etcd Settings
Contains rules that check correct OpenShift etcd settings.Group -
Etcd config filter
Etcd config filterValue -
Etcd config file path
Etcd config file pathValue -
Disable etcd Self-Signed Certificates
To ensure the <code>etcd</code> service is not using self-signed certificates, run the following command: <pre>$ oc get cm/etcd-pod -n openshift-et...Rule Medium Severity -
Ensure That The etcd Client Certificate Is Correctly Set
To ensure the etcd service is serving TLS to clients, make sure the <code>etcd-pod*</code> ConfigMaps in the <code>openshift-etcd</code> namespace ...Rule Medium Severity -
Ensure ETCD has correct cipher suite
Check the current cipher suite used in ETCD.Rule Medium Severity -
Enable The Client Certificate Authentication
To ensure the <code>etcd</code> service is serving TLS to clients, make sure the <code>etcd-pod*</code> <code>ConfigMaps</code> in the <code>opensh...Rule Medium Severity -
Ensure That The etcd Key File Is Correctly Set
To ensure the etcd service is serving TLS to clients, make sure the <code>etcd-pod*</code> ConfigMaps in the <code>openshift-etcd</code> namespace ...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.